Total: 7754 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-49181 | 1 Sick | 1 Media Server | 2026-02-03 | 8.6 High |
| Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET requests to gather sensitive information. An attacker could also send HTTP POST requests to modify the log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service attack. | ||||
| CVE-2022-2552 | 1 Awesomemotive | 1 Duplicator | 2026-02-02 | 5.3 Medium |
| The Duplicator WordPress plugin before 1.4.7 does not authenticate or authorize visitors before displaying information about the system such as server software, php version and full file system path to the site. | ||||
| CVE-2025-70985 | 2 Ruoyi, Y Project | 2 Ruoyi, Ruoyi | 2026-01-30 | 9.1 Critical |
| Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope. | ||||
| CVE-2025-70986 | 1 Ruoyi | 1 Ruoyi | 2026-01-30 | 7.5 High |
| Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data. | ||||
| CVE-2025-68479 | 1 Discourse | 1 Discourse | 2026-01-30 | 7.1 High |
| Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | ||||
| CVE-2023-3426 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-30 | 4.3 Medium |
| The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations. | ||||
| CVE-2022-47425 | 2 Reputeinfosystems, Wordpress | 2 Armember, Wordpress | 2026-01-30 | 4.3 Medium |
| Missing Authorization vulnerability in Repute Infosystems ARMember allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ARMember: from n/a through 3.4.10. | ||||
| CVE-2025-65098 | 1 Typebot | 1 Typebot | 2026-01-30 | 7.4 High |
| Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue. | ||||
| CVE-2025-54943 | 1 Sun.net | 1 Ehrd Ctms | 2026-01-30 | 9.8 Critical |
| A missing authorization vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to perform unauthorized application deployment due to the absence of proper access control checks. | ||||
| CVE-2025-5885 | 1 Konicaminolta | 1 Bizhub | 2026-01-30 | 4.3 Medium |
| A vulnerability has been found in Konica Minolta bizhub up to 20250202 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-39650 | 2 Wpweb, Wpwebelite | 2 Woocommerce Pdf Vouchers, Woocommerce Pdf Vouchers | 2026-01-26 | 7.3 High |
| Missing Authorization vulnerability in WPWeb Elite WooCommerce PDF Vouchers allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WooCommerce PDF Vouchers: from n/a through 4.9.4. | ||||
| CVE-2024-43274 | 2 Joomsky, Jshelpdesk | 2 Js Help Desk, Jshelpdesk | 2026-01-26 | 5.8 Medium |
| Missing Authorization vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.8.6. | ||||
| CVE-2025-12519 | 1 Centreon | 2 Centreon, Centreon Web | 2026-01-26 | 5.3 Medium |
| Missing Authorization vulnerability in Centreon Infra Monitoring (Administration parameters API endpoint modules) allows Accessing Functionality Not Properly Constrained by ACLs, resulting in Information Disclosure like downtime or acknowledgement configurations. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | ||||
| CVE-2025-59968 | 1 Juniper | 21 Junos, Junos Space, Space Security Director and 18 more | 2026-01-23 | 8.6 High |
| A Missing Authorization vulnerability in the Juniper Networks Junos Space Security Director allows an unauthenticated network-based attacker to read or modify metadata via the web interface. Tampering with this metadata can result in managed SRX Series devices permitting network traffic that should otherwise be blocked by policy, effectively bypassing intended security controls. This issue affects Junos Space Security Director: all versions prior to 24.1R3 Patch V4. This issue does not affect managed cSRX Series devices. | ||||
| CVE-2023-47788 | 2 Automattic, Wordpress | 2 Jetpack, Wordpress | 2026-01-23 | 4.3 Medium |
| Missing Authorization vulnerability in Automattic Jetpack. This issue affects Jetpack: from n/a before 12.7. | ||||
| CVE-2025-13781 | 1 Gitlab | 1 Gitlab | 2026-01-22 | 6.5 Medium |
| GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations. | ||||
| CVE-2025-13772 | 1 Gitlab | 1 Gitlab | 2026-01-22 | 7.1 High |
| GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests. | ||||
| CVE-2025-64729 | 1 Aveva | 1 Process Optimization | 2026-01-22 | 8.1 High |
| The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to tamper with Process Optimization project files, embed code, and escalate their privileges to the identity of a victim user who subsequently interacts with the project files. | ||||
| CVE-2025-8944 | 2 Oceanwp, Wordpress | 3 Oceanwp, Oceanwp Plugin, Wordpress | 2026-01-20 | 4.3 Medium |
| The OceanWP WordPress theme before 4.1.2 is vulnerable to an option update due to a missing capability check on one of its AJAX request handlers, allowing any authenticated user, such as a subscriber, to update the `darkMod` setting. | ||||
| CVE-2025-15235 | 2 Quanta Computer, Quantatw | 2 Qoca Aim Ai Medical Cloud Platform, Qoca Aim | 2026-01-20 | 6.5 Medium |
| QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Missing Authorization vulnerability, allowing authenticated remote attackers to modify specific network packet parameters, enabling certain system functions to access other users' files. | ||||